
Field extraction help - gnmap and troubleshooting

Hi there, hoping someone can point me in the right direction.

I'm trying to parse greppable nmap (*.gnmap) outputs for the repeated ports fields. I've seen a few attempts at this around; the best so far being for a live search: http://splunk-base.splunk.com/answers/22979/line_breaker-for-nmap-output. So far, my attempts to convert the live search to a transform are unsuccessful.

I see none of the fields post-indexing, however, and am unable to locate how to troubleshoot this further. Other fields, such as hostname and IP address, successfully extract with other transforms.

The btool is not very informative for this context, and I do see that, as of ~2 years ago, troubleshooting field extractions was a requested feature http://splunk-base.splunk.com/answers/157/feature-request-troubleshootingdebugging-for-field-extraction-config-files.

1 Answer

Okay, that was a headache, but satisfying nonetheless - in hindsight (as it always is), it was actually much more straightforward than the numerous avenues I looked into.

I was able to extract all services, ports, daemons and banners using the following setup below. In addition, I found it useful to separate out subdomains also. Unfortunately the regexes will not work for all domains/subdomains, but YMMV.

One specific note regarding greppable NMAP output that you should take care with: a very small number of services discovered by NMAP and dumped into greppable NMAP output are formatted incorrectly, e.g.:
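As an added example (not code from the thread, from the answer above, or from Splunk), here is a small Python parser for the gnmap `Ports:` field the question asks about. It splits each repeated port tuple into its seven slash-separated fields; the sample scan lines are constructed, and keeping tuples with the wrong field count under a `malformed` key (rather than dropping them) is an assumption chosen so they remain searchable.

```python
import re
from typing import Dict, List

# Constructed sample in nmap greppable (-oG) format; not taken from the thread.
SAMPLE_GNMAP = """\
# Nmap 7.93 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sV -oG scan.gnmap 192.0.2.0/28
Host: 192.0.2.10 (web.corp.example.com)\tStatus: Up
Host: 192.0.2.10 (web.corp.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu/, 80/open/tcp//http//nginx 1.18.0/, 443/open/tcp//ssl|https//nginx 1.18.0/, 139/open/tcp//netbios-ssn///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tPorts: 53/open/udp//domain//ISC BIND 9.18/\tIgnored State: filtered (999)
# Nmap done at Mon Jan  1 00:01:00 2024 -- 16 IP addresses (2 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<hostname>[^)]*)\)")
PORTS_RE = re.compile(r"\tPorts:\s+(?P<ports>[^\t]+)")
# One tuple is port/state/protocol/owner/service/rpc_info/version/ (seven fields).
# nmap writes '/' inside service or version strings as '|' (e.g. ssl|https),
# so splitting on '/' is safe.
PORT_FIELDS = ("port", "state", "protocol", "owner", "service", "rpc_info", "version")


def parse_ports(ports_field: str) -> List[Dict[str, str]]:
    """Split the comma-separated Ports: field into one dict per port tuple.
    Tuples that do not have exactly seven fields are kept under 'malformed'
    (an assumed convention) so they show up in search instead of vanishing."""
    entries = []
    for tup in ports_field.split(", "):
        tup = tup.strip()
        if not tup:
            continue
        if tup.endswith("/"):          # drop only the single trailing slash
            tup = tup[:-1]             # (rstrip would eat empty trailing fields)
        fields = tup.split("/")
        if len(fields) != len(PORT_FIELDS):
            entries.append({"malformed": tup})
            continue
        entries.append(dict(zip(PORT_FIELDS, fields)))
    return entries


def parse_gnmap(text: str) -> List[Dict[str, object]]:
    """Return one record per 'Host: ... Ports: ...' line with ip, hostname and ports."""
    records = []
    for line in text.splitlines():
        host = HOST_RE.match(line)
        ports = PORTS_RE.search(line)
        if not host or not ports:
            continue  # comment lines and Status-only lines carry no port tuples
        records.append({"ip": host["ip"], "hostname": host["hostname"],
                        "ports": parse_ports(ports["ports"])})
    return records
```

The two regexes are the same patterns one would carry over into a Splunk transform; the per-tuple split is what the search-time extraction has to reproduce for the repeated field.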